Hi
Has a post-message-src directive been considered? From the
introduction in the specification:
"Content Security Policy is a declarative policy that lets the authors
(or server administrators) of a web application restrict from where
the application can load resources."
If the goal is to restrict WHERE data comes from, then the ability to
restrict message sources to be particular origins is in scope.
Additionally, this would be tremendously useful over the current style
of "check origin for every postMessage event".
shameless plug: We have found real vulnerabilities in the past with
this and had suggested using CSP (
http://www.cs.berkeley.edu/~devdatta/papers/w2sp10-primitives.pdf )
thanks
Devdatta
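
The "check origin for every postMessage event" style mentioned in the message, centralised into one allowlist wrapper. This is an added example, not part of the original message and not an implementation of the proposed directive. The origins, sample events and the names `guardMessages`, `looseOriginCheck` and `demo` are constructed for illustration.

```javascript
// Added example: one origin allowlist applied to every postMessage handler.
// All origins and events below are constructed sample values.

// Pattern to avoid: substring matching accepts look-alike origins.
function looseOriginCheck(origin) {
  return origin.indexOf("example.com") !== -1;
}

// Wrap a handler so it only ever sees messages from allowlisted origins.
// Returns true when the event was delivered, false when it was dropped.
function guardMessages(allowedOrigins, handler) {
  // Canonicalise entries once (drops trailing slash and default port).
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));
  return function listener(event) {
    // event.origin is set by the browser; sandboxed frames send the string "null".
    if (typeof event.origin !== "string" || !allowed.has(event.origin)) {
      return false;
    }
    handler(event);
    return true;
  };
}

// Run the guard over constructed events and report which ones were delivered.
function demo() {
  const received = [];
  const listener = guardMessages(
    ["https://widgets.example.com/", "https://login.example.com:443"],
    (event) => received.push(event.data)
  );
  const events = [
    { origin: "https://widgets.example.com", data: "resize" },
    { origin: "https://login.example.com", data: "signed-in" },
    { origin: "https://example.com.attacker.test", data: "look-alike" },
    { origin: "http://widgets.example.com", data: "wrong-scheme" },
    { origin: "null", data: "sandboxed" },
  ];
  const delivered = events.map((e) => listener(e));
  return { received, delivered };
}

// In a page, register the guarded listener once instead of checking in each handler.
if (typeof window !== "undefined") {
  window.addEventListener("message", guardMessages(["https://widgets.example.com"], (e) => console.log(e.data)));
}
```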